- Added Rule PI-011: Tool misuse or unauthorized side effects (high) — flags prompts that try to force tool, function, or command execution without operator approval.
- Added Rule PI-012: Credential or secret phishing (critical) — flags requests for passwords, reset codes, OTPs, API keys, tokens, or other credentials.
Rationale: Extend coverage to tool-forcing and credential-phishing vectors surfaced while expanding the scanner demo corpus. (Backfilled entry: this version shipped in commit `fff7e80` directly on main, bypassing the PR-only changelog check; recorded here to restore the audit trail.)
- Modified Rule PI-001: Expanded regex to catch "all/any previous" permutations and synonyms so multi-word override attempts are blocked.
- Modified Rule PI-002: Added tolerance for filler words between leak verbs and pronouns (e.g., "Show me your...") to mirror public jailbreak phrasing.
Rationale: Align coverage with real-world jailbreak transcripts referenced in the CLI test suite.
- Added 10 core detection rules
- Coverage areas:
- Direct instruction override (PI-001)
- System prompt extraction (PI-002)
- Role manipulation (PI-003)
- Delimiter manipulation (PI-004)
- Encoded payload indicators (PI-005)
- Developer mode activation (PI-006)
- Jailbreak patterns (PI-007)
- Safety filter bypass (PI-008)
- SQL injection patterns (PI-009)
- Excessive repetition (PI-010)
Initial Release
Rationale: Establish baseline detection coverage for common prompt injection attack vectors.